From: Pcraghavendra.Prasad at dell.com (Prasad, PCRaghavendra)
Date: Thu, 24 Feb 2022 12:06:12 +0000
Subject: [Expat-bugs] Regarding libexpat vulnerabilities
Message-ID:

Hi Team,

We are using Python 3.9.5; we upgraded from Python 3.8 to 3.9.5 last year. Python 3.9.5 uses libexpat 2.2.8, and as part of the Black Duck scan it is showing critical vulnerabilities in libexpat 2.2.8 (CVE-2022-22824, CVE-2022-23990, CVE-2022-23852, CVE-2022-25236, CVE-2022-22823).

The solution is to move to libexpat 2.4.4 (earlier this month); now it is showing libexpat 2.4.6. I searched the Python communities and bug trackers and found that a few things are fixed:

https://bugs.python.org/issue46400
The above status shows it is closed and merged into Python for the 2.4.4 version.

https://bugs.python.org/issue46794
The above bug is still open; this is for version 2.4.6.

So our doubt is: which Python version do we need to upgrade to in order to get the latest libexpat 2.4.6? Is there any timeline for when this will get merged?

We need your input on this so that we can take the necessary action from our side.

Thanks,
Raghavendra
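A check that a reader in this situation would want, added here as an example and not part of the original message or of the expat or CPython projects: the version a scanner flags from the CPython source tree (the expat copy bundled under Modules/expat) is not necessarily the one the interpreter loads, because distribution builds commonly link CPython against the system libexpat instead. The script below asks the running interpreter which libexpat it actually loaded, via `pyexpat.version_info` and `pyexpat.EXPAT_VERSION` (both real attributes of the stdlib module), and compares that against the 2.4.6 floor named in the message. The minimum version and the sample strings in `main()` are constructed for the example.

```python
"""Report the libexpat actually loaded by this interpreter and compare it
against a minimum version (2.4.6 is the floor discussed in the message)."""
import re
import pyexpat

# Floor taken from the message; adjust to whatever your scanner requires.
MIN_EXPAT = (2, 4, 6)


def parse_expat_version(text):
    """Turn a string such as 'expat_2.2.8' (the pyexpat.EXPAT_VERSION format)
    into a (major, minor, micro) tuple of ints.

    Raises ValueError if no dotted triple is present, so a malformed string
    can never be mistaken for a passing version."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised expat version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def meets_minimum(version, minimum=MIN_EXPAT):
    """True when the loaded version is at or above the required floor.
    Tuple comparison is lexicographic, so (2, 10, 0) > (2, 4, 6) as expected."""
    return tuple(version) >= tuple(minimum)


def loaded_expat():
    """Return (version_tuple, version_string) for the libexpat linked into
    this interpreter, not the copy shipped in the CPython source tarball."""
    return tuple(pyexpat.version_info), pyexpat.EXPAT_VERSION


def assess(minimum=MIN_EXPAT):
    """Build a small report dict that a CI job or inventory script can log."""
    version, label = loaded_expat()
    return {
        "loaded": label,
        "version": version,
        "minimum": tuple(minimum),
        "ok": meets_minimum(version, minimum),
    }


def main():
    report = assess()
    status = "OK" if report["ok"] else "BELOW MINIMUM"
    print(f"loaded libexpat: {report['loaded']} -> {status} "
          f"(minimum {'.'.join(map(str, report['minimum']))})")
    # Constructed sample strings showing how the parser handles scanner output.
    for sample in ("expat_2.2.8", "expat_2.4.6"):
        print(sample, "->", "OK" if meets_minimum(parse_expat_version(sample)) else "BELOW MINIMUM")


if __name__ == "__main__":
    main()
```

Run it with the interpreter that the scanner findings concern (for example the exact `python3.9` binary in the deployed image), since a different interpreter on the same host may be linked against a different libexpat.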